LOGbinder Blog

Updates, Tips and News   RSS Feed  

«  SuperCharger for Windows ... | LOGbinder News – February... »

Syslog TCP survey and the Public Beta Program

Fri, 20 Mar 2015 15:34:12 GMT

We need some input from you about pushing our data to SIEM via Syslog. As you know, while we support Syslog UDP forwarding (also file outputs for both Syslog CEF and Syslog LEEF), LOGbinder does not currently support Syslog TCP output.

The questions we need your help to answer are:

  • Would you use Syslog over TCP?
  • Do you currently consume any encrypted syslog feeds with your SEIM? Which variation of syslog do you use? TLS, syslog-ng? Please be as specific as possible.

The reason we ask is that to develop Syslog over TCP raises some complicated issues that we would have to get right. What we do with the output when the TCP receiver goes down? We can’t just save up the data-- for a number of security, storage and logistical reasons. So we anticipate Syslog over TCP to allow a 2nd destination address. If both destinations are down our software would have to fail.

Another issue, perhaps a more complicated one, is the encryption of the Syslog TCP transmission, since there is no “standard” for TCP broadcast encryption. LOGbinder works with any SIEM, so you can understand our dilemma. Do we support Syslog over TLS, syslog-ng or what? And how “standard” are those implementations?

To date we’ve not had a serious request to include Syslog over TCP or encryption. We've had inquiries over the years, but in each case, when it came down to it, customers much preferred Syslog file output. Syslog over TCP has been one of those things people ask us about, but seem to have no strong feelings for. Recently the number of inquiries about Syslog over TCP has increased but we can’t tell how serious they are

We'd love to hear from our readers about this. What are your thoughts about pushing our events to SIEM via Syslog over TCP? Is it necessary? What is your experience with the various flavors of Syslog via TCP encryption?

If you wish to help us out with this topic, email Queries@LOGbinder.com. Please include the following information:

  • your current SIEM or SIEMs (and planned, if different),
  • tell us if you are a current LOGbinder customer (or VAR), and which product(s),
  • what outputs are used and/or recommended (in ranking order),
  • Answer: Is Syslog over TCP output necessary, would you prefer having over current output options, (yes, no, perhaps) and if yes (or perhaps), which encryption method.
  • any other important stuff “on topic” you want us to know.

Send email to queries at LOGbinder dot com. We really appreciate the help!

Customer feedback led to an improved product (again)

We are fortunate enough to have customers who give us feedback. We use that feedback to improve the product for everybody. A case in point from last week: One of our enterprise products was missing a critical field element when reporting 2 events. Our lab testing missed it. But a customer discovered the problem using our beta version, and within 24 hours we released an update to the beta version that fixed it!

The LOGbinder software public beta program

Our beta program has historically been a private affair for select customers. We are happy to announce that we are making our newest software available for anybody who wants to participate in the LOGbinder Software Beta Program. Simply browse to our website's Resources page then click on Version History, choosing the product you wish to evaluate. A direct link is here: https://www.logbinder.com/support/history. This page provides an excellent window into the value that support and maintenance contracts add to your licensed LOGbinder software.

Webinar: “SharePoint Defense-In-Depth Monitoring: What to Watch at the App, DB and OS Level – and How?”

Many organizations have made good progress with implementing SIEMs but remain on the bottom rung of the SIEM maturity model because they are only seeing security activity at the lowest layer: the operating system and network. Most information theft takes place at the higher layers of database and application. So why are we still so blind at those levels?

SharePoint is a great example of this dilemma because it is a high-level application with a large attack surface. Bad guys can target SharePoint at 4 levels: Application, Web server, Database and Operating system level. Which levels would your SIEM alert you to right now?Which levels do you have no clue about if you are under attack right now?

In this webinar Randy Franklin Smith will:

  • explore all 4 auditing levels of SharePoint,
  • show you how to enable auditing,
  • show which events you should be monitoring, and
  • show how to get that information into your SIEM – where it belongs.

This will be great information for security analysts who need to make the case for SharePoint security. LOGbinder is proud to sponsor this webinar.

Don't miss this Real Training For Free ™ event. Click here to register. If you can’t make the live event on April 28, 2015 at 12:00 (UTC -5:00), register anyway to get the free recorded version.


Comments disabled

powered by Bloget™